Banks, retailers play blame game in data breaches

Retail and banking groups are blaming each other for the lax security that recently allowed hackers to steal millions of credit card numbers from shoppers.

After massive security breaches at Target and Neiman Marcus, the head of the major retail trade association, the National Retail Federation, wrote a letter Tuesday to Congress blaming banks for foot-dragging on tougher security measures.

"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk," federation President Matthew Shay wrote to the leaders of the U.S. House and Senate.

Shay wrote that while banks were issuing those fraud-prone U.S. cards, they were also "touting the security benefits of next-generation 'pin and chip' card technology for customers in Europe and dozens of other markets."

The Independent Community Bankers Association responded angrily, expressing "shock and outrage" that retail groups were trying to shift the blame to the banks.

Retailers should be responding to the damage done, "rather than hurling false allegations blaming the banking industry for these retail breaches," the banking group's president, Camden Fine, said in a statement Wednesday.

Then he pointed the finger back at the retailers: "Nearly every retailer security breach in recent memory has revealed some violation of industry security agreements.

Advertisement

In some cases, retailers haven't even had technology in place to alert them to the breach intrusion, and third parties, like banks, have had to notify the retailers that their information has been compromised."

That pattern appears to have happened in the Target security breach. It was the Secret Service and JPMorgan Chase -- not Target -- that appeared to first notice problems arising at Target, after fraudulent charges began appearing and a flood of credit card data started turning up on the black market, the New York Times has reported.

The blame over card security is a prelude to another expensive fight -- who should bear the costs of the security breach.

Last week, the bankers' group urged Congress to pass legislation requiring that retailers and others suffering a data breach be held responsible for sharing the costs.

Making retailers liable for security breaches "will provide a strong incentive" to tighten up their security systems, the group wrote to the Senate.

The National Retail Federation is the retail industry's most prominent trade group, representing most major retailers, including Minneapolis-based Target Corp.

The Independent Community Bankers group represents about 7,000 banks that tend to be smaller and more regional.

Tom Webb can be reached at 651-228-5428. Follow him at twitter.com/ TomWebbMN.